WebRTC Security Hole Leaks Real IP Addresses

Virtual private network (VPN) and proxy users could face serious security issues if they don’t take proper steps to protect themselves. The massive flaw comes in by way of WebRTC (short for Web Real-Time Communication) and the browsers that support it.

The threat allows websites to see local home IP addresses, even with a VPN — but there is a solution for IPVanish users.

What is WebRTC?

If you’re not familiar with WebRTC, it’s a technology that simplifies real-time communications in a web browser. WebRTC is an open-source protocol that supports browser-to-browser apps for voice calling, video chat, and file sharing. It’s a widely supported plugin used by the most popular web browsers, most notably Mozilla Firefox and Google Chrome.

How are IP addresses leaking?

In this WebRTC security hole, a website can use a simple script to access IP address information from STUN servers.
These STUN (Session Traversal Utilities for NAT) servers are used by VPNs to translate a local home IP address to a new public IP address and vice-versa. To do this, the STUN server maintains a table of both your VPN-based public IP and your local (“real”) IP during connectivity. The local and public IP addresses of the user can be pulled from these requests with JavaScript.
Wireless routers at home replicate a similar function in translating private IP addresses to public and back. A researcher from San Francisco, Daniel Roesler, posted a demonstration to illustrate how the WebRTC vulnerability works. The STUN server sends a ping back that contains the IP address and port of the client. While Roesler’s demo claimed that the browser vulnerability was unfixable, there are several solutions.
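
To check what a page could learn from your own browser, the ICE candidate lines the browser produces (the `candidate` strings delivered to `RTCPeerConnection`'s `onicecandidate` handler) can be parsed and compared with the VPN address you expect to present. The following is an added example, not code from the original article or from Roesler's demonstration; the sample candidate lines, all addresses and the function names are constructed for illustration.

```javascript
// Added example. All addresses are constructed (RFC 5737 documentation
// ranges and RFC 1918 private space); VPN_EXIT is an assumed value.
const PRIVATE = [/^10\./, /^192\.168\./, /^172\.(1[6-9]|2\d|3[01])\./, /^169\.254\./,
                 /^f[cd][0-9a-f]{2}:/i, /^fe80:/i];

// Parse one line: candidate:<foundation> <component> <transport> <priority>
//                 <address> <port> typ <type> [raddr <address> rport <port>] ...
function parseCandidate(line) {
  const f = line.trim().replace(/^a=/, '').split(/\s+/);
  if (!f[0].startsWith('candidate:') || f.length < 8 || f[6] !== 'typ') return null;
  const r = f.indexOf('raddr');
  return { address: f[4], type: f[7], related: r !== -1 ? f[r + 1] || null : null };
}

// Label one address relative to the VPN exit address the user expects to present.
function classify(address, vpnExitIp) {
  if (address === vpnExitIp) return 'vpn-exit';
  if (address.endsWith('.local')) return 'mdns-hidden'; // browser masked the host address
  if (address === '0.0.0.0' || address === '::') return 'unspecified';
  if (PRIVATE.some((re) => re.test(address))) return 'local-exposed';
  return 'public-exposed'; // a public address that is not the VPN's
}

// Return every distinct address visible in the candidates, with a verdict.
function auditCandidates(lines, vpnExitIp) {
  const seen = new Map();
  for (const line of lines) {
    const c = parseCandidate(line);
    if (!c) continue; // skip lines that are not ICE candidates
    for (const addr of [c.address, c.related]) {
      if (addr && !seen.has(addr)) seen.set(addr, classify(addr, vpnExitIp));
    }
  }
  return [...seen].map(([address, verdict]) => ({ address, verdict }));
}

// Constructed sample: candidates a leaking browser behind a VPN might emit.
const SAMPLE = [
  'candidate:1 1 udp 2122260223 192.168.1.23 54400 typ host',
  'candidate:2 1 udp 1686052607 203.0.113.7 54400 typ srflx raddr 192.168.1.23 rport 54400',
  'candidate:3 1 udp 1686052607 198.51.100.20 61000 typ srflx raddr 10.8.0.2 rport 61000',
  'a=candidate:4 1 udp 2122260223 3f2a9c1e-0000-4000-8000-000000000001.local 54401 typ host',
];
const VPN_EXIT = '198.51.100.20';
console.log(auditCandidates(SAMPLE, VPN_EXIT));
```

Any `local-exposed` or `public-exposed` entry is an address the page can read in addition to the VPN address; after applying one of the browser fixes described below, the list should be empty or contain only the `vpn-exit` and `mdns-hidden` entries.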

Who is affected and how can the security hole be fixed?

While there are existing reports that only Windows operating systems are affected, this is actually a web browser problem. Both Windows and Macintosh users are equally at risk. Default browsers Internet Explorer and Safari are not affected by the WebRTC flaw because they do not support the protocol. But Firefox and Chrome users have a problem to fix.

Mozilla Firefox users can either download NoScript from Firefox Add-Ons, or type about:config in the address bar and set ‘media.peerconnection.enabled’ to ‘False.’

Google Chrome users are unfortunately affected to a point where there is no complete protection. While an extension called the WebRTC Network Limiter was released over the summer of 2015 as a fix to this issue, there are some reports that there are still leaks in specific instances.

Alternatively, those who use the affected browsers can set up a wireless home router to connect to their VPN service directly. This removes the likelihood of a software-based (or in this case, a browser-based) flaw exposing any information about the user.

Thanks for your excellent service! I have a couple of questions about the WebRTC Security Hole:

1. Does this also affect downloading from Usenet, using i.e. Sabnzbd, or is this only relevant when using my browser (in my case Chrome, with RtcBlock plugin installed and active)?
2. When I check my IP address with ‘IpLeak’ in Chrome, it shows in the ‘Your IP address – WebRTC detection’ 1 IP address which reveals my country and provider (in this case somewhere in Germany), although IpVanish is connected to a server in Amsterdam, the Netherlands.

I am basically only worried about detection while downloading from Usenet and (sometimes) torrent sites….

Thanks for writing in. See answers to your questions below:
1. WebRTC only affects your browser, so with an appropriate WebRTC blocking plugin installed you should be fine.
2. Services like IPLeak use databases to compare server IPs with geolocation data. Most of the time these geolocation databases contain information that often does not reflect a server’s true and actual location. Our servers are indeed located in the locations listed in our server list.

[…] IPVanish has reported on the real possibility that Virtual private network (VPN) and proxy users can face serious security issues if they don’t take proper steps to protect their accounts. The threat allows websites to see local home IP addresses, but there is a solution for IPVanish users. The massive flaw comes in by way of WebRTC (Web RTC, Web Real-Time Communication) and the browsers that support this communications protocol. […]
